DNS root zone key boost

The internet's DNS root zone is about to get more secure with the rollout of a 2048-bit zone signing key (ZSK), in place of today's 1024-bit RSA key.

The change reflects a gradual increase in the digital security of this critical piece of internet infrastructure. With the recent introduction of DNSSEC, the 1024-bit ZSK now represents the weakest link in the chain, according to a blog post by the company that oversees its operation, Verisign.

The ZSK works in conjunction with the Key Signing Key (KSK) to ensure the top-level map of the world's DNS system has not been tampered with. The KSK is already 2048-bit, but changing the ZSK has the potential to cause problems due to the increased size of DNS responses.

Verisign is pretty confident that the increase response size won't cause them to be fragmented – at which point all sorts of things could start breaking – but nevertheless it is being cautious and has a created a test page at keysizetest.verisignlabs.com for people to check their network, because, you know, it's still the DNS.

A "transitional" ZSK will be signed later this month at the quarterly key signing ceremony, and the first 2048-bit ZSK key will be published in the root zone on September 20. There will then be 10 days of frantic DNS watching to make sure nothing breaks. If there are problems, the new key will be unpublished; if not, October 1, 2016 will see the new, stronger ZSK in place and a stronger root zone. ®